Issue 52 | September 20, 2017

#DataInsecurity Digest: The Equifax issue

Editor’s Note: The scope—and botched handling—of the Equifax breach appears to have created an inflection point in the national debate about data security. Much like the Target breach created momentum for policy change in 2013, the Equifax breach has added new impetus to a debate that many viewed as stalled. As the FTC, CFPB, and Congress investigate, consumer advocates like NCL are warning that Congress should not lose this opportunity to take action to reduce the risks to consumers’ sensitive data. This special edition of The #DataInsecurity Digest is focused exclusively on the ongoing policy fallout from the Equifax breach.

On to the clips!

-----------------

NCL calls on Congress to pass data broker regulation, automatic repayments in wake of Equifax breach. NCL is urging Congress to come down hard on data brokers like Equifax to require stronger data security protections and serious penalties when breaches occur. “What is to prevent any company that collects our most private data from exposing millions of consumers to theft if there are few serious consequences?” said NCL’s Sally Greenberg. “Where are the incentives to protect our data? That is what is lacking today and why we see breach after breach.” (Source: National Consumers League)

Nearly half of U.S. consumers affected in Equifax’s 143 million account breach. The unprecedented breach compromised consumers’ personal information including Social Security numbers, birth dates, and (in some cases) driver's license numbers. Although this is not the largest breach in history, many analysts fear that this breach could be the most harmful to consumers. The information compromised will make victims vulnerable to identity theft for years to come. This assessment has led security experts like @avivahl to comment that, "On a scale of one to 10, this is a 10 in terms of potential identity theft..." (Source: CBS News)

The Equifax breach was preventable. @jeffjohnroberts reports that the hackers entered the system through a publicly known vulnerability in Apache Struts, the web application framework Equifax used. A fix for the flaw had been available since March 6, 2017. “In other words, Equifax had ample opportunity to patch its systems but apparently failed to do so.” (Source: Fortune)

To make things worse … Equifax tried to hide arbitration clauses in the terms of service of its “free” credit monitoring service. In the wake of the breach, Equifax offered consumers a year of “free” credit monitoring. However, @teresamurray reports that victims who signed up for the free monitoring and identity theft protection would not have been able to sue Equifax over disagreements about those services, because of a binding arbitration clause buried in the fine print of the terms of service. Following consumer outrage, Equifax “has changed its plans to prohibit consumers from filing lawsuits if they sign up for free help.” (Source: The Plain Dealer)

The FTC and CFPB are investigating. Both federal consumer watchdog agencies took the unusual step of publicly announcing their investigations. The FTC’s Peter Kaplan commented that while “[t]he FTC typically does not comment on ongoing investigations...in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.” (Source: Los Angeles Times)

Senator Warner (D-VA) calls for stronger data security protections. The ranking Democrat on the Senate Intelligence Committee commented that the massive breach “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans." (Source: CNET)

Congress responds with a flurry of hearings. There are currently three hearings in the works regarding the Equifax breach. On October 3, Equifax CEO Richard Smith will give testimony before the House Energy and Commerce Committee. The House Financial Services Committee and House Judiciary Committee will also each hold hearings. Rep. Bob Goodlatte (R-VA), Chairman of the House Judiciary Committee, told @MorningCybersec that he plans to use the hearing to "review our current laws to determine if they can be strengthened to better prevent cyberattacks and protect Americans' privacy." (Source: Politico and The Hill)

Congress tees up several fraud-fighting data security bills. @b_fung and @hshaban report that Rep. Ted Lieu (D-CA) is drafting two bills, “one creating minimum data security standards for credit reporting agencies, and another that would bar firms from forcing victims of data breaches into arbitration.” Meanwhile, Sen. Mark Warner (D-VA) is also working on “reviving efforts to pass a data breach notification law, requiring companies to notify customers about a breach within a certain narrow time frame.” (Source: Washington Post)

Events

February 28, 2018 - Privacy Con 2018, Washington, DC

In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.